I'm Dana Gardner, Principal Analyst at Interarbor Solutions,
and I'll be your host and moderator throughout these business
transformation discussions. The conference itself is focusing on "big data -- the transformation we need to embrace today."

We're here now with a panel of experts to explore new trends and solutions in the area of risk management and analysis. We'll learn how large enterprises are delivering risk assessments and risk analysis,
and we'll see how big data can be both an area to protect, but also used as a tool for better understanding and mitigating
risks.

Gardner: Why is the issue of risk analysis so prominent now? What's
different from, say, five years ago?

Jones: The information security
industry has struggled with getting the attention of and support from
management and businesses for a long time, and it has finally come
around to the fact that the executives care about loss exposure -- the
likelihood of bad things happening and how bad those things are likely
to be.

It's only when we speak in those terms of risk that we make sense to those executives. And
once we do that, we begin to gain some credibility and traction in terms
of getting things done.

Gardner: So we really need to talk about this in the terms that a business executive would appreciate, not necessarily an IT executive.

Effects on business

Jones: Absolutely. They're tired of hearing about vulnerabilities, hackers, and that sort of thing. It’s only when we can talk in terms of the effect on the business that it makes sense to them.

Gardner:
Jack Freund, I should also point out that you have more than 14 years
in enterprise IT experience. You're a visiting professor at DeVry University and you chair a risk-management subcommittee for ISACA. Do you agree?

Freund:
The problem that we have as a profession, and I think it’s a big
problem, is that we have allowed ourselves to escape the natural trend
that the other IT professionals have already taken.

There was a time, years ago, when you could code in
the basement, and nobody cared much about what you were doing. But now,
largely speaking, developers and systems administrators are very focused on meeting the goals of the organization.

Security
has been allowed to miss that boat a little. We have been allowed to
hide behind this aura of a protector and of an alerter of terrible
things that could happen, without really tying ourselves to the problem
that the organizations are facing and how can we help them succeed in
what they're doing.

Gardner: Jim Hietala, how do you see things that are different now than a few years ago when it comes to risk assessment?

Hietala:
There are certainly changes on the threat side of the landscape. Five
years ago, you didn’t really have hacktivism or this notion of an advanced persistent threat (APT).
That highly skilled attacker taking aim at governments and large
organizations didn’t really exist -– or didn’t exist to the degree it
does today. So that has changed.

You also have big changes to the IT platform
landscape, all of which bring new risks that organizations need to
really think about. The mobility trend, the cloud trend, the big-data trend that we are talking about today, all of those things bring new risk to the organization.

As
Jack Jones mentioned, business executives don't want to hear about,
"I've got 15 vulnerabilities in the mobility part of my organization."
They want to understand what’s the risk of bad things happening because
of mobility, what we're doing about it, and what’s happening to risk
over time.

So it’s a combination of changes in the
threats and attackers, as well as just changes to the IT landscape, that
we have to take a different look at how we measure and present risk to
the business.

Gardner: Because we're at a big-data conference, do you share my perception, Jack Jones, that big
data can be a source of risk and vulnerability, but also the analytics and the business intelligence (BI)
tools that we're employing with big data can be used to alert you to
risks or provide a strong tool for better understanding your true risk
setting or environment?

Crown jewels

Jones:
You are absolutely right. You think of big data and, by definition,
it’s where your crown jewels, and everything that leads to crown jewels
from an information perspective, are going to be found. It's like
one-stop shopping for the bad guy, if you want to look at it in that
context. It definitely needs to be protected. The architecture
surrounding it and its integration across a lot of different platforms
and such, can be leveraged and probably result in a complex landscape to
try and secure.

There are a lot of ways into that data and such, but
at least if you can leverage that same big data architecture, it's an
approach to information security. With log data and other threat and
vulnerability data and such, you should be able to make some significant
gains in terms of how well-informed your analyses and your decisions
are, based on that data.

Gardner: Jack Freund,
do you share that? How does big data fit into your understanding of the
evolving arena of risk assessment and analysis?

Freund:
If we fast-forward it five years, and this is even true today, a lot of
people on the cutting edge of big data will tell you the problem isn’t
so much building everything together and figuring out what it can do.
They are going to tell you that the problem is what we do once we figure
out everything that we have. This is the problem that we have
traditionally had on a much smaller scale in information security. When
everything is important, nothing is important.

Gardner:
To follow up on that, where do you see the gaps in risk analysis in
large organizations? In other words, what parts of organizations aren’t
being assessed for risk and should be?

Freund:
The big problem that exist largely today in the way that risk
assessments are done, is the focus on labels. We want to quickly address
the low, medium, and high things and know where they are. But the
problem is that there are inherent problems in the way that we think
about those labels, without doing any of the analysis legwork.

We end up with these very long lists of horrible, terrible things that
can be done to us in all sorts of different ways, without any relevance
to the overall business of the organization.

I
think that’s what’s really missing is that true analysis. If the system
goes offline, do we lose money? If the system becomes compromised, what
are the cost-accounting things that will happen that allow us to figure out how much money we're going to lose.

That
analysis work is largely missing. That’s the gap. The gap is if the
control is not in place, then there’s a risk that must be addressed in
some fashion. So we end up with these very long lists of horrible,
terrible things that can be done to us in all sorts of different ways,
without any relevance to the overall business of the organization.

Every
day, our organizations are out there selling products, offering
services, which is and of itself, its own risky venture. So tying what
we do from an information security perspective to that is critical for
not just the success of the organization, but the success of our
profession.

Gardner: So we can safely say that large companies are probably pretty good at a cost-benefit analysis
or they wouldn't be successful. Now, I guess we need to ask them to
take that a step further and do a cost-risk analysis, but in business
terms, being mindful that their IT systems might be a much larger part
of that than they had at once considered. Is that fair, Jack?

Risk implications

Jones:
Businesses have been making these decisions, chasing the opportunity,
but generally, without any clear understanding of the risk implications,
at least from the information security perspective. They will have us
in the corner screaming and throwing red flags in there, and talking
about vulnerabilities and threats from one thing or another.

But,
we come to the table with red, yellow, and green indicators, and on the
other side of the table, they’ve got numbers. Well, here is what we
expect to earn in revenue from this initiative, and the information
security people are saying it’s crazy. How do you normalize the
quantitative revenue gain versus red, yellow, and green?

Gardner:
Jim Hietala, do you see it in the same red, yellow, green or are there
some other frameworks or standard methodologies that The Open Group is
looking at to make this a bit more of a science?

Hietala: Probably four years ago, we published what we call the Risk Taxonomy Standard
which is based upon FAIR, the management framework that Jack Jones
invented. So, we’re big believers in bringing that level of precision to
doing risk analysis. Having just gone through training for FAIR myself,
as part of the standards effort that we’re doing around certification, I
can say that it really brings a level of precision and a depth of
analysis to risk analysis that's been lacking frequently in IT security
and risk management.

In order to be successful sitting between these two groups, you have to be able to speak the language of both of those groups.

Gardner:
We’ve talked about how organizations need to be mindful that their
risks are higher and different than in the past and we’ve talked about
how standardization and methodologies are important, helping them better
understand this from a business perspective, instead of just a
technology perspective.

But, I'm curious about a
cultural and organizational perspective. Whose job should this fall
under? Who is wearing the white hat in the company and can rally the
forces of good and make all the bad things managed? Is this a single
person, a cultural, an organizational mission? How do you make this work
in the enterprise in a real-world way?

Freund:
The profession of IT risk management is changing. That profession will
have to sit between the business and information security inclusive of
all the other IT functions that make that happen.

In
order to be successful sitting between these two groups, you have to be
able to speak the language of both of those groups. You have to be able
to understand profit and loss and capital expenditure on the business
side. On the IT risk side, you have to be technical enough to do all
those sorts of things.

But I think the sum total of
those two things is probably only about 50 percent of the job of IT risk
management today. The other 50 percent is communication. Finding ways
to translate that language and to understand the needs and concerns of
each side of that relationship is really the job of IT risk management.

To
answer your question, I think it’s absolutely the job of IT risk
management to do that. From my own experiences with the FAIR framework, I
can say that using FAIR is the Rosetta Stone for speaking between those
two groups.

Necessary tools

It
gives you the tools necessary to speak in the insurance and risk terms
that business appreciate. And it gives you the ability to be as
technical and just nerdy, if you will, as you need to be in order to
talk to IT security and the other IT functions in order to make sure
everybody is on the same page and everyone feels like their concerns are
represented in the risk-assessment functions that are happening.

Jones:
I agree with what Jack said wholeheartedly. I would add, though, that
integration or adoption of something like this is a lot easier the
higher up in the organization you go.

For CFOs
traditionally, their neck is most clearly on the line for risk-related
issues within most organizations. At least in my experience, if you get
their ear on this and present the information security data analyses to
them, they jump on board, they drive it through the organization, and
it's just brain-dead easy.

If you try to drive it up
through the ranks, maybe you get an enthusiastic supporter in the
information security organization, especially if it's below the CISO
level, and they try a grassroots sort of effort to bring it in, it's a
tougher thing. It can still work. I've seen it work very well, but, it's
a longer row to hoe.

Gardner: There have been a
lot of research, studies, and surveys on data breaches. What are some
of the best sources, or maybe not so good sources, for actually
measuring this? How do you know if you’re doing it right? How do you
know if you're moving from yellow to green, instead of to red?

Becoming very knowledgeable about the risk posture and the risk tolerance of the organization is a key.

Freund:
There are a couple of things in that question. The first is there's
this inherent assumption in a lot of organizations that we need to move
from yellow to green, and that may not be the case. So, becoming very
knowledgeable about the risk posture and the risk tolerance of the
organization is a key.

That's part of the official
mindset of IT security. When you graduate an information security person
today, they are minted knowing that there are a lot of bad things out
there, and their goal in life is to reduce them. But, that may not be
the case. The case may very well be that things are okay now, but we
have bigger things to fry over here that we’re going to focus on. So,
that's one thing.

The second thing, and it's a very
good question, is how we know that we’re getting better? How do we trend
that over time? Overall, measuring that value for the organization has
to be able to show a reduction of a risk or at least reduction of risk
to the risk-tolerance levels of the organization.

Calculating
and understanding that requires something that I always phrase as we
have to become comfortable with uncertainty. When you are talking about
risk in general, you're talking about forward-looking statements about
things that may or may not happen. So, becoming comfortable with the
fact that they may or may not happen means that when you measure them
today, you have to be willing to be a little bit squishy in how you’re
representing that.

In FAIR and in other academic
works, they talk about using ranges to do that. So, things like high,
medium ,and low, could be represented in terms of a minimum, maximum,
and most likely. And that tends to be very, very effective. People can
respond to that fairly well.

Gathering data

Jones:
With regard to the data sources, there are a lot of people out there
doing these sorts of studies, gathering data. The problem that's
hamstringing that effort is the lack of a common set of definitions,
nomenclature, and even taxonomy around the problem itself.

You
will have one study that will have defined threat, vulnerability, or
whatever differently from some other study, and so the data can't be
normalized. It really harms the utility of it. I see data out there and I
think, "That looks like that can be really useful." But, I hesitate to
use it because I don't understand. They don't publish their definitions,
approach, and how they went after it.

There's just so
much superficial thinking in the profession on this that we now have
dug under the covers. Too often, I run into stuff that just can't be
defended. It doesn’t make sense, and therefore the data can't be used.
It's an unfortunate situation.

I do think we’re heading in a positive direction. FAIR can provide a normalizing structure for that sort of thing. The VERIS
framework, which by the way, is also derived in part from FAIR, also
has gained real attraction in terms of the quality of the research they
have done and the data they’re generating. We’re headed in the right
direction, but we’ve got a long way to go.

Gardner:
Jim Hietala, we’re seemingly looking at this on a company-by-company
basis. But, is there a vertical industry slice or industry-wide slice
where we could look at what's happening to everyone and put some
standard understanding, or measurement around what's going on in the
overall market, maybe by region, maybe by country?

The ones that have embraced FAIR tend to be the ones that overall feel that risk is an integral part of their business strategy.

Hietala:
There are some industry-specific initiatives and what's really needed,
as Jack Jones mentioned, are common definitions for things like breach,
exposure, loss, all those, so that the data sources from one
organization can be used in another, and so forth. I think about the
financial services industry. I know that there is some information
sharing through an organization called the FS-ISAC about what's happening to financial services organizations in terms of attacks, loss, and those sorts of things.

There's
an opportunity for that on a vertical-by-vertical basis. But, like Jack
said, there is a long way to go on that. In some industries, healthcare
for instance, you are so far from that, it's ridiculous. In the US
here, the HIPAA
security rule says you must do a risk assessment. So, hospitals have
done annual risk assessments, will stick the binder on the shelf, and
they don't think much about information security in between those annual
risk assessments. That's a generalization, but various industries are
at different places on a continuum of maturity of their risk management
approaches.

Gardner: As we get better with
having a common understanding of the terms and the measurements and we
share more data, let's go back to this notion of how to communicate this
effectively to those people that can use it and exercise change
management as a result. That could be the CFO, the CEO, what have you,
depending on the organization.

Do you have any
examples? Can we look to an organization that's done this right, and
examine their practices, the way they’ve communicated it, some of the
tools they’ve used and say, "Aha, they're headed in the right direction
maybe we could follow a little bit." Let's start with you, Jack Freund.

Freund:
I have worked and consulted for various organizations that have done
risk management at different levels. The ones that have embraced FAIR
tend to be the ones that overall feel that risk is an integral part of
their business strategy. And I can give a couple of examples of
scenarios that have played out that I think have been successful in the
way they have been communicated.

Coming to terms

The
key to keep in mind with this is that one of the really important
things is that when you're a security professional, you're again trained
to feel like you need results. But, the results for the IT risk
management professional are different. The results are "I've
communicated this effectively, so I am done." And then whatever the
results are, are the results that needed to be. And that's a really hard
thing to come to terms with.

I've been involved in
large-scale efforts to assess risk for a cloud venture. We needed to
move virtually every confidential record that we have to the cloud in
order to be competitive with the rest of our industry. If our
competitors are finding ways to utilize the cloud before us, we can lose
out. So, we need to find a way to do that, and to be secure and
compliant with all the laws and regulations and such.

Through
that scenario, one of the things that came out was that key ownership
became really, really important. We had the opportunity to look at the
various control structures and we analyzed them using FAIR. What we
ended up with was sort of a long-tail risk. Most people will probably do
their job right over a long enough period of time. But, over that same
long period of time, the odds of somebody making a mistake not in your
favor are probably likely, but, not significantly enough so that you
can't make the move.

But, the problem became that the
loss side, the side that typically gets ignored with traditional
risk-assessment methodologies, was so significant that the organization
needed to make some judgment around that, and they needed to have a
sense of what we needed to do in order to minimize that.

That
became a big point of discussion for us and it drove the conversation
away from bad things could happen. We didn’t bury the lead. The lead was
that this is the most important thing to this organization in this
particular scenario.

Through that scenario, one of the things that came out was that key ownership became really, really important.

So,
let's talk about things we can do. Are we comfortable with it? Do we
need to make any sort of changes? What are some control opportunities?
How much do they cost? This is a significantly more productive
conversation than just, "Here is a bunch of bad things that happen. I'm
going to cross my arms and say no."

Gardner: Jack Jones, examples at work?

Jones:
In an organization that I've been working with recently, their board of
directors said they wanted a quantitative view of information security
risk. They just weren’t happy with the red, yellow, green. So, they came
to us, and there were really two things that drove them there. One was
that they were looking at cyber insurance. They wanted to know how much
cyber insurance they should take out, and how do you figure that out
when you've got a red, yellow, green scale?

They were
able to do a series of analyses on a population of the scenarios that
they thought were relevant in their world, get an aggregate view of
their annualized loss exposure, and make a better informed decision
about that particular problem.

Gardner: I'm
curious how prevalent cyber insurance is, and is that going to be a
leveling effect in the industry where people speak a common language the
equivalent of actuarial tables, but for security in enterprise and
cyber security?

Jones: One would dream and hope,
but at this point, what I've seen out there in terms of the basis on
which insurance companies are setting their premiums and such is
essentially the same old “risk assessment” stuff that the industry has
been doing poorly for years. It's not based on data or any real analysis
per se, at least what I’ve run into. What they do is set their premiums
high to buffer themselves and typically cover as few things as
possible. The question of how much value it's providing the customers
becomes a problem.

Looking to the future

Gardner:
We’re coming up on our time limit. So, let's quickly look to the
future. Is there such thing as risk management as a service? Can we
outsource this? Is there a way in which moving more of IT into cloud or
hybrid models would mitigate risk, because the cloud provider would
standardize? Then, many players in that environment, those who were
buying those services, would be under that same umbrella? Let's start
with you Jim Hietala. What's the future of this and what do the cloud
trends bring to the table?

Hietala: I’d start
with a maxim that comes out of the financial services industry, which is
that you can outsource the function, but you still own the risk. That's
an unfortunate reality. You can throw things out in the cloud, but it
doesn’t absolve you from understanding your risk and then doing things
to manage it to transfer it if there's insurance or whatever the case
may be.

That's just a reality. Organizations in the
risky world we live in are going to have to get more serious about doing
effective risk analysis. From The Open Group standpoint, we see this as
an opportunity area.

Risk is a system of systems. There are a series of pressures that are
applied, and a series of levers that are thrown in order to release that
sort of pressure.

As I mentioned, we’ve
standardized the taxonomy piece of the Factor Analysis Information Risk (FAIR)framework. And we really see an
opportunity around the profession going forward to help the
risk-analysis community by further standardizing FAIR and launching a
certification program for a FAIR-certified risk analyst. That's in
demand from large organizations that are looking for evidence that
people understand how to apply FAIR and use it in doing risk analyses.

Gardner: Jack Freund, looking into your crystal ball, how do you see this discipline evolving?

Freund:
I always try to consider things as they exist within other systems.
Risk is a system of systems. There are a series of pressures that are
applied, and a series of levers that are thrown in order to release that
sort of pressure.

Risk will always be owned by the
organization that is offering that service. If we decide at some point
that we can move to the cloud and all these other things, we need to
look to the legal system. There is a series of pressures that they are
going to apply, and who is going to own that, and how that plays itself
out.

If we look to the Europeans and the way that
they’re managing risk and compliance, they’re still as strict as we in
United States think that they may be about things, but there's still a
lot of leeway in a lot of the ways that laws are written. You’re still
being asked to do things that are reasonable. You’re still being asked
to do things that are standard for your industry. But, we'd still like
the ability to know what that is, and I don't think that's going to go
away anytime soon.

Judgment calls

We’re
still going to have to make judgment calls. We’re still going to have
to do 100 things with a budget for 10 things. Whenever that happens, you
have to make a judgment call. What's the most important thing that I
care about? And that's why risk management exists, because there’s a
certain series of things that we have to deal with. We don't have the
resources to do them all, and I don't think that's going to change over
time. Regardless of whether the landscape changes, that's the one that
remains true.

Gardner: It sounds as if we’re continuing down the path of being
mostly reactive. Is there anything you can see on the horizon that would
perhaps tip the scales, so that the risk management and analysis
practitioners can really become proactive and head things off before
they become a big problem?

Jones: If we were to
take a snapshot at any given point in time of an organization’s loss
exposure, how much risk they have right then, that's a lagging indicator
of the decisions they’ve made in the past, and their ability to execute
against those decisions.

We can do some great
root-cause analysis around that and ask how we got there. But, we can
also turn that coin around and ask how good we are at making
well-informed decisions, and then executing against them, the asking
what that implies from a risk perspective downstream.

If
we understand the relationship between our current state, and past and
future states, we have those linkages defined, especially, if we have an
analytic framework underneath it. We can do some marvelous what-if
analysis.

We’re still going to have to make judgment calls. We’re still going to have to do 100 things with a budget for 10 things.

What if this variable changed in our landscape? Let's run a few thousand Monte Carlo simulations
against that and see what comes up. What does that look like? Well,
then let's change this other variable and then see which combination of
dials, when we turn them, make us most robust to change in our
landscape.

But again, we can't begin to get there,
until we have this foundational set of definitions, frameworks, and such
to do that sort of analysis. That's what we’re doing with the Factor Analysis Information Risk (FAIR)framework, but
without some sort of framework like that, there's no way you can get
there.

Gardner: I am afraid we’ll have to leave
it there. We’ve been talking with a panel of experts on how new trends
and solutions are emerging in the area of risk management and analysis.
And we’ve seen how new tools for communication and using big data to
understand risks are also being brought to the table.

This
special BriefingsDirect discussion comes to you in conjunction with The
Open Group Conference in Newport Beach, California. I'd like to thank
our panel: Jack Freund, PhD, Information Security Risk Assessment
Manager at TIAA-CREF. Thanks so much Jack.

Freund: Thank you, Dana.

Gardner: We’ve also been speaking with Jack Jones, Principal at CXOWARE.

Jones: Thank you. Thank you, pleasure to be here.

Gardner: And last, Jim Hietala, the Vice President for Security at The Open Group. Thanks.

Hietala: Thanks, Dana.

Gardner:
This is Dana Gardner, Principal Analyst at Interarbor Solutions; your
host and moderator through these thought leadership interviews. Thanks
again for listening and come back next time.

Transcript of a BriefingsDirect podcast on best managing the risks from expanded use and distribution of big data enterprise assets. Copyright The Open Group
and Interarbor Solutions, LLC, 2005-2013. All rights reserved.